feat: add Claude Code hooks integration #13
Open
nandanugg wants to merge 6 commits into cortexkit:main from
Add install/uninstall scripts that set up AFT hooks for Claude Code:
- Tool interception for Read, Grep, Glob via PreToolUse hooks
- CLI wrapper for semantic commands (outline, zoom, call_tree, callers, etc.)
- Global AFT.md instructions so Claude learns to use AFT for context savings

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add MANDATORY section emphasizing AFT-first approach
- Add Decision Tree for quick command selection
- Rename "Best Practices" to "Rules (NOT suggestions)"
- Add Context Protection section to prevent context exhaustion
- Clarify that AFT applies to all file types, not just code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add prominent "AFT applies to ALL file types" note in MANDATORY section
- Change "Before ANY code exploration" to "Before reading ANY files"
- Add docs/config example to decision tree
- Add new row for docs/configs in "When to Use What" table
- Add rule cortexkit#6: "ALWAYS outline before sampling"

Addresses feedback that code-centric language caused AFT to be skipped for markdown/documentation files.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Remove Read from hooked tools list (conflicts with Edit validation)
- Add guidance to use `aft read` via Bash for indexed reads
- Add warning: use native Read tool when editing is needed

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Subagents don't follow ordering guarantees, so leaving "outline first" as a mid-step instruction doesn't work. Run outline yourself and include the output in the subagent prompt.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
ualtinok added a commit that referenced this pull request Apr 25, 2026
…llowups

Second full-codebase audit found 38 items; 32 confirmed real after triple-verification, plus a third pass after Oracle review caught one introduced SSRF bypass.

Security:
- aft-cli: createGitHubIssue uses spawnSync with argv to prevent shell injection through repo/title (#6).
- opencode + pi: restrict_to_project_root defaults to true for plugin contexts; the Rust CLI default stays false for direct/scripted use (#1).
- opencode: per-server random RPC token (32B hex) stored in JSON port file; every request requires the token; legacy integer port files still parsed for backward compatibility (#23).
- opencode: url-fetch SSRF guard with manual redirect handling (max 5 hops), full IPv6 expansion, and IPv4-mapped/compatible bypass detection (::ffff:127.0.0.1, ::127.0.0.1, [::]); allowPrivate escape hatch (#32 + Oracle followup).
- Rust: handle_git_conflicts now validates each conflicted file path through ctx.validate_path() (#20).

Cross-plugin parity:
- pi-plugin pool keys bridges by realpathSync canonicalization, mirroring opencode (#5).
- pi-plugin zoom multi-symbol fan-out routes through callBridge so each parallel request carries Pi's session_id (#16 — regression from v0.15.3).
- pi-plugin tool-surface ALL_ONLY constants align with opencode (#9).
- both bridges enforce 64MB MAX_STDOUT_BUFFER and treat overflow as crash (#10).
- pi-plugin aft_transform validates per-op required parameters (#17).
- both bridges' compareSemver implements semver pre-release ordering (#29).

Rust correctness:
- glob edit_match wraps multi-file writes in checkpoint snapshot with rollback on failure (#3).
- LSP client kills+waits child on shutdown timeout and via Drop impl (#4).
- type-checker working_dir uses config.project_root, not path.parent() (#7).
- ast_search/grep return invalid_pattern errors instead of empty matches on malformed regex/AST patterns (#11).
- zoom ambiguous suggestions output 1-based start-end line ranges (#12).
- zoom line-range response uses clamped end_line (#13).
- configure.validate_on_edit accepts booleans (#18).
- checkpoint restore creates parent directories (#19).
- lsp_hints paths_match uses canonical comparison + separator-bounded suffix matching (#22).
- format.resolve_tool --version probe has 2s timeout (#24).
- backup.canonicalize_key fallback logs at debug (#25).
- read.handle_directory caps at 1000 entries with truncation note (#34).
- read uses saturating_add/sub for end_line math (#36).
- lsp_rename + lsp_find_references use consistent 1-based character (#37).
- ast_search/replace comments now reference panic=unwind (#27).

Workflow + docs:
- release.yml has top-level concurrency control (#35).
- test job runs bun build before publish-crates (#8).
- release.yml uses sha256sum on Ubuntu (#29).
- version-sync.mjs comment reflects 9 packages (#28).

Verification: 726 Rust tests pass / 1 ignored (was 718, +8 new tests), 383 TS tests pass (was 362, +21 new tests covering RPC auth, SSRF guard, pool canonicalization, semver pre-release, structure validation, edit_match atomicity, IPv4-mapped IPv6 bypass detection). Typecheck + lint clean.
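The address check behind the SSRF guard item in the commit message above (full IPv6 expansion, then IPv4-mapped/compatible detection), as an added example; it is not code from this pull request or from the AFT project. The function names (`parseV4`, `isPrivateV4`, `expandV6`, `isBlockedAddress`) and the exact set of blocked ranges are assumptions, and redirect handling is not shown.

```javascript
// Added example, not the project's code: classify IP literals for an SSRF guard.
function parseV4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  const o = m ? m.slice(1).map(Number) : [];
  return o.length === 4 && o.every((n) => n <= 255) ? o : null;
}

// Loopback, "this network", RFC 1918, link-local and CGNAT ranges (assumed set).
function isPrivateV4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
}

// Expand an IPv6 literal to eight 16-bit integers; null if malformed.
function expandV6(s) {
  let text = s.split("%")[0]; // drop any zone id
  const cut = text.lastIndexOf(":") + 1;
  if (text.slice(cut).includes(".")) { // dotted IPv4 in the last 32 bits
    const v4 = parseV4(text.slice(cut));
    if (!v4) return null;
    const hex = (hi, lo) => ((hi << 8) | lo).toString(16);
    text = text.slice(0, cut) + hex(v4[0], v4[1]) + ":" + hex(v4[2], v4[3]);
  }
  const halves = text.split("::");
  const [head, rest] = [halves[0], halves[1] || ""].map((h) => (h ? h.split(":") : []));
  const gap = halves.length === 2 ? 8 - head.length - rest.length : 0;
  if (halves.length > 2 || (halves.length === 2 && gap < 1)) return null;
  const groups = [...head, ...Array(gap).fill("0"), ...rest];
  const ok = groups.length === 8 && groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g));
  return ok ? groups.map((g) => parseInt(g, 16)) : null;
}

// True when the guard must refuse the literal; allowPrivate is the opt-out.
function isBlockedAddress(host, { allowPrivate = false } = {}) {
  if (allowPrivate) return false;
  const literal = host.replace(/^\[|\]$/g, "");
  const v4 = parseV4(literal);
  if (v4) return isPrivateV4(v4);
  if (!literal.includes(":")) return false; // hostname: resolve, then re-check each address
  const g = expandV6(literal);
  if (!g) return true; // unparseable literal: fail closed
  const low = [g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255];
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  // IPv4-mapped (::ffff:a.b.c.d) and IPv4-compatible (::a.b.c.d); :: and ::1
  // fall in the second form as 0.0.0.0 and 0.0.0.1, which isPrivateV4 rejects.
  if ((zeros(5) && g[5] === 0xffff) || zeros(6)) return isPrivateV4(low);
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // ULA, link-local
}
```

The same check has to run on every redirect hop, since a public first URL can redirect to a private literal.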
Summary
Installation
Test plan
🤖 Generated with Claude Code